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DETAILED ACTION 

1. This is in response to the amendments filed on 06/01/09. Claims 1, 4, 9, 16 and 34 have 
been amended; Claims 27-29 have been cancelled; Claim 35 has been added; Claims 1-26 and 
30-35 are pending and have been considered below. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1 . 1 7(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.1 14. Applicant's submission filed on 06/01/09 has been entered. 

Claim Objections 

3. Claim 16 is objected to because of the following informalities: the Examiner notes that 
the instant claim currently recites, "A tangible computer storage medium... comprising", and may 
potentially encompass non-statutory subject matter, which does not appear to be the Applicant's 
intent. The Applicant is kindly requested to clarify the claim by amending the claim to recite, "A 
tangible computer storage medium. . . the computer executable code comprising" or the like. 
Appropriate correction is required. 



Claim Rejections - 35 USC § 112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 
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The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

5. Claims 9, 10, 14, 17-23, 31 and 32 are rejected under 35 U.S.C. 1 12, second paragraph, 
as being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

6. Claim 9 recites the limitation "the web server" throughout the claim. There is 
insufficient antecedent basis for this limitation in the claim. The Examiner respectfully notes 
that there appears to be at least two separate instances of "a web server" recited in the instant 
claim(lines 6 and 8 respectively), and thus may be unclear which web server such a limitation is 
in reference to. 

7. Claims 10 and 14 recite the limitation "the proxy machine" in line 1 . There is 
insufficient antecedent basis for this limitation in the claim. 

8. Claims 17-23 recite the limitation "the computer recording medium" in line 1. There is 
insufficient antecedent basis for this limitation in the claim. 

9. Claims 31 and 32 recites the limitation "the viral signature patterns" throughout the 
claims. There is insufficient antecedent basis for this limitation in the claim. 



Claim Rejections - 35 USC § 103 

10. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

11. Claims 1-5, 9-11, 15-20, 24-26, 30-32, 34 and 35 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Kindberg et al. (2003/0061515) in view of Haugh (7,231,666) 
and Thiele et al. (2005/0050353). 
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Claim 1: Kindberg et al. discloses a method for maintaining computer security comprising: 

a. providing a signature filefze. a database containing capabilities, etc.) containing 
information about known system vulnerabilitiesf/e. acceptable arguments for a CGI script) [page 
4, paragraph 0054 & page 5, paragraphs 0058-0059]; 

b. at a reverse proxy server residing between at least one client computer and a web 
server [figure 2]: 

i. receiving an incoming message from the at least one client computer, wherein 
the incoming message, if malicious and upon receipt by the web server, automatically 
causes the web server to perform an action which exploits a vulnerability of the web 
serverfz'e. step 600) [figure 6]; 

ii. comparing the received incoming message with the signature file to determine 
whether the incoming message is maliciousfz'e. step 610) [figure 6]; 

iii. and if it is determined to be malicious, blocking the incoming message from 
reaching the web server (ie. request is rejected) [page 4, paragraph 0054]. 
Additionally, Kindberg et al. further discloses that the signature file may also include 

arguments to explicitly exclude which fairly suggests including "signatures" of malicious 
messages to block or the like [page 5, paragraph 0059]; but does not explicitly disclose that the 
signature file contains information comprising a predefined length of a Universal Resource 
Location for a message header; nor comparing a length of a URL in a message header of the 
incoming message with the predefined length in the signature file and if the length of the 
incoming URL exceeds the predefined length, determining that the incoming message is 
malicious and blocking the incoming message from reaching the web server. 
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Nonetheless, Haugh discloses a similar invention and further discloses preventing buffer 
overflow security exploits by utilizing a signature file containing information comprising a 
predefined length of an argument(7e. hard limit); comparing a length of an argument with the 
predefined length in the signature file and if the length exceeds the predefined lengthfz'e. if the 
length of the command line argument being processed exceeds a hard limit), blocking the 
argument [column 5, lines 50-55 & figure 5]. 

Furthermore, Thiele et al. discloses that common computer attacks include buffer 
overflow attacks, malformed URL attacks and forming "signatures" to characterize such attacks 
[page 1, paragraphs 0002 & 0008]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify invention disclosed by Kindbcrg ct al. with the additional features disclosed 
by Haugh . in order to facilitate the identification and prevention of buffer overflow attacks, as 
suggested by Thiele et al. [page 1, paragraph 0005]. 

Claim 9: Kindberg et al. discloses a system for maintaining computer security comprising: 

a. a signature file containing information about known system vulnerabilities, the 
information not including viral signature patterns [page 4, paragraph 0054 & page 5, paragraphs 
0058-0059]; 

b. a web server [figure 2]; 

c. reverse proxy server residing on a processor controlled device between at least one 
client computer and a web server, the reverse proxy server operable to [figure 6]: 

i. receiving an incoming message from the at least one client computer, wherein 
the incoming message, if malicious and upon receipt by the web server, automatically 
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causes the web server to perform an action which exploits a vulnerability of the web 
server [figure 6]; 

ii. comparing the received incoming message with the signature file to determine 
whether the incoming message is malicious [figure 6]; 

iii. and if it is determined to be malicious, blocking the incoming message from reaching 
the web server [page 4, paragraph 0054]. 

Additionally, Kindberg et al. further discloses that the signature file may also include 
arguments to explicitly exclude which fairly suggests including "signatures" of malicious 
messages to block or the like [page 5, paragraph 0059]; but does not explicitly disclose that the 
signature file contains information comprising a predefined length of a Universal Resource 
Location for a message header; nor comparing a length of a URL in a message header of the 
incoming message with the predefined length in the signature file and if the length of the 
incoming URL exceeds the predefined length, determining that the incoming message is 
malicious and blocking the incoming message from reaching the web server. 

Nonetheless, Haugh discloses a similar invention and further discloses preventing buffer 
overflow security exploits by utilizing a signature file containing information comprising a 
predefined length of an argumentfz'e. hard limit); comparing a length of an argument with the 
predefined length in the signature file and if the length exceeds the predefined lengthfz'e. if the 
length of the command line argument being processed exceeds a hard limit), blocking the 
argument [column 5, lines 50-55 & figure 5]. 
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Furthermore, Thiele et al. discloses that common computer attacks include buffer 
overflow attacks, malformed URL attacks and forming "signatures" to characterize such attacks 
[page 1, paragraphs 0002 & 0008]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify invention disclosed by Kindberg et al. with the additional features disclosed 
by Haugh, in order to facilitate the identification and prevention of buffer overflow attacks, as 
suggested by Thiele et al. [page 1, paragraph 0005]. 

Claim 16: Kindberg et al. discloses a computer storage medium containing code for maintaining 
computer security comprising: 

a. providing a signature file containing information about known system vulnerabilities, 
the information not including viral signature patterns [page 4, paragraph 0054 & page 5, 
paragraphs 0058-0059]; 

b. at a HTTP reverse proxy server residing between at least one client computer and a 
web server [figure 2]: 

i. receiving an incoming message from the at least one client computer, wherein 
the incoming message, if malicious and upon receipt by the web server, automatically 
causes the web server to perform an action which exploits a vulnerability of the web 
server [figure 6]; 

ii. comparing the received incoming message with the signature file to determine 
whether the incoming message is malicious [figure 6]; 

iii. and if it is determined to be malicious, blocking the incoming message from 
reaching the web server [page 4, paragraph 0054]. 
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Additionally, Kindberg et al. further discloses that the signature file may also include 
arguments to explicitly exclude which fairly suggests including "signatures" of malicious 
messages to block or the like [page 5, paragraph 0059]; but does not explicitly disclose that the 
signature file contains information comprising a predefined length of a Universal Resource 
Location for a message header; nor comparing a length of a URL in a message header of the 
incoming message with the predefined length in the signature file and if the length of the 
incoming URL exceeds the predefined length, determining that the incoming message is 
malicious and blocking the incoming message from reaching the web server. 

Nonetheless, Haugh discloses a similar invention and further discloses preventing buffer 
overflow security exploits by utilizing a signature file containing information comprising a 
predefined length of an argumentf/'e. hard limit); comparing a length of an argument with the 
predefined length in the signature file and if the length exceeds the predefined lengthfze. if the 
length of the command line argument being processed exceeds a hard limit), blocking the 
argument [column 5, lines 50-55 & figure 5]. 

Furthermore, Thiele et al. discloses that common computer attacks include buffer 
overflow attacks, malformed URL attacks and forming "signatures" to characterize such attacks 
[page 1, paragraphs 0002 & 0008]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify invention disclosed by Kindberg et al. with the additional features disclosed 
by Haugh , in order to facilitate the identification and prevention of buffer overflow attacks, as 
suggested by Thiele et al. [page 1, paragraph 0005]. 

Claim 34: Kindberg et al. discloses a method for maintaining computer security comprising: 
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a. providing a signature file containing information about known system vulnerabilities 
the information comprising a predefined length of a Universal Resource Locator ("URL") in a 
message header [page 4, paragraph 0054 & page 5, paragraphs 0058-0059]; 

b. receiving an incoming message from at least one client computer [figure 6]; 

c. comparing a length of a URL in a message header of the incoming message with the 
predefined length in the signature file to determine whether the incoming message is 
malicious(7e. URL having a character string conforming to the length established) [page 4, 
paragraph 0052]; 

d. and if the incoming message is determined to be malicious, blocking the incoming 
message from reaching a web server [page 4, paragraph 0054]. 

Additionally, Kindbcrg ct al. further discloses that the signature file may also include 
arguments to explicitly exclude which fairly suggests including "signatures" of malicious 
messages to block or the like [page 5, paragraph 0059]; but does not explicitly disclose that the 
signature file contains information comprising a predefined length of a Universal Resource 
Location for a message header; nor comparing a length of a URL in a message header of the 
incoming message with the predefined length in the signature file and if the length of the 
incoming URL exceeds the predefined length, determining that the incoming message is 
malicious and blocking the incoming message from reaching the web server. 

Nonetheless, Haugh discloses a similar invention and further discloses preventing buffer 
overflow security exploits by utilizing a signature file containing information comprising a 
predefined length of an argument(7e. hard limit); comparing a length of an argument with the 
predefined length in the signature file and if the length exceeds the predefined length^, if the 
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length of the command line argument being processed exceeds a hard limit), blocking the 
argument [column 5, lines 50-55 & figure 5]. 

Furthermore, Thiele et al. discloses that common computer attacks include buffer 
overflow attacks, malformed URL attacks and forming "signatures" to characterize such attacks 
[page 1, paragraphs 0002 & 0008]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify invention disclosed by Kindberg et al. with the additional features disclosed 
by Haugh, in order to facilitate the identification and prevention of buffer overflow attacks, as 
suggested by Thiele et al. [page 1, paragraph 0005]. 

Claims 2-4, 10 and 17-19: Kindberg et al. , Haugh and Thiele et al. disclose an invention as in 
claims 1, 9 and 16 above and Kindbcre et al. further discloses that the comparing further 
comprises: 

a. parsing the incoming message [page 4, paragraph 0055]; 

b. converting the incoming message into an internal formatfze. specific CGI arguments 
etc.) [page 5, paragraph 0060]; 

c. comparing the converted incoming message with the signature file and determining 
whether the converted incoming message is malicious based on the comparison(7e. list of 
acceptable arguments etc) [page 5, paragraph 0059]; 

d. reassembling the converted incoming message back into its original format prior to 
forwarding it to the web server if it is determined that the code is not malicious and forwarding 
the reassembled message to the web serverfz'e. arugment passed through unchanged, etc.) [page 
5, paragraph 0061]. 
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Claims 5, 11 and 20: Kindberg et al. , Haugh and Thiele et al. disclose an invention as in claims 
1, 9 and 16 above and Kindberg et al. further discloses that the signature file contains 
information about known system vulnerabilities^, acceptable arguments for a CGI script) [page 
4, paragraph 0054 & page 5, paragraphs 0058-0059]. 

Claim 15: Kindberg et al , Haugh and Thiele et al. disclose a system as in claim 10 above and 
Kindberg et al. further discloses that the signature file is linked to the HTTP message analyzer 
module(7e. list of acceptable arguments) [page 5, paragraph 0058]. 

Claims 24-26: Kindberg et al. , Haugh and Thiele et al. disclose a method, system and computer 
storage medium as in claims 1, 9 and 16 above, and Kindberg et al. further discloses that the 
incoming message comprises an HTTP messages [abstract]. 

Claims 30-32: Kindberg et al. , Haugh and Thiele et al. disclose the invention of claims 1, 9 and 
16, and Kindberg et al. further discloses that the information comprises a list of known system 
vulnerabilities; and comparing the received incoming message with the signature file to 
determine whether the incoming message is malicious comprises determining whether the 
incoming message is malicious by determining whether one or more characteristics of the 
incoming message satisfy one of the vulnerabilities on the list of known system 
vulnerabilities (ie. character string length is not a bogus argument, etc.) [page 5, paragraph 
0058-0059]. 

Claim 35: Kindberg et al , Haugh and Thiele et al. disclose a method as in claim 34 above and 
Haugh further discloses: 

a. the predetermined length indicates a maximum amount of data that may be stored in a 
buffer of the web server before the buffer overflowsfz'e. components used in preventing exploits 
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based on buffer overflow ...places limitations on the size of individual input parameters to 
prevent arguments from exceeding a selected size) [column 3, lines 63-67 | column 4, lines 1-5]; 

b. the length of the incoming URL indicates an amount of data that the incoming 
message will attempt to store on the buffer if the incoming message is received by the web 
server(7e. if length does exceed hard limit) [column 5, lines 50-55]; and 

c. the step of determining that the incoming message is malicious comprises determining 
that the incoming message is capable of causing the buffer to overflow/z'e. a security action is 
performed in response to detecting data for the data buffer having a size greater than a 
designated size) [column 1, lines 63-67]. 

12. Claims 6-8, 12-14 and 21-23 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kindberg et al. (2003/0061515) in view of Haugh (7,231,666) and Thiele 
et al. (2005/0050353) and further in view of Cambridge (7,080,000). 

Claims 6, 12 and 21: Kindberg et al , Haugh and Thiele et al. disclose a method, system and 
computer storage medium as in claims 1, 9 and 16 above, but does not explicitly disclose that the 
signature file is made available through a web server. However, Cambridge discloses a similar 
method, system and computer storage medium and further discloses that the signature 
f\\Q(antivirus database) is made available through a web server (antivirus server) [abstract]. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of invention 
to make the signature files available through a web server. One would have been motivated to 
do so in order to make signature file updates easily accessible. 

Claims 7, 13 and 22: Kindberg et al , Haugh and Thiele et al. disclose a method, system and 
computer storage medium as in claims 1, 9 and 16 above, but does not explicitly disclose 
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continuously updating the signature file. However, Cambridge discloses a similar method, 
system and computer storage medium and further discloses continuously updating the signature 
^(antivirus data file) [column 2, lines 63-67]. Therefore, it would have been obvious to one of 
ordinary skill in the art at the time of invention to continuously update the signature file. One 
would have been motivated to do so in order to be able to detect the latest viruses, which are 
constantly being created. 

Claims 8, 14 and 23: Kindberg et al. , Haugh and Thiele et al. disclose a method, system and 
computer storage medium as in claims 1, 9 and 16 above, but does not explicitly disclose 
periodically downloading the signature file in order to make its copy current. However, 
Cambridge discloses a similar method, system and computer storage medium and further 
discloses periodically downloading the signature files (receiving a new antivirus file at one of the 
user computers) in order to make its copy current [abstract]. Therefore, it would have been 
obvious to one of ordinary skill in the art at the time of invention to periodically download the 
signature files. One would have been motivated to do so in order to be able to detect the latest 
viruses, which are constantly being created. 

13. Claim 33 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kindberg et 
aL (2003/0061515) in view of Haugh (7,231,666) and Thiele et al. (2005/0050353) and 
further in view of El-Rafle (6,968,394). 

Claim 33: Kindberg et al. , Haugh and Thiele et al. disclose the method of claim 1, and Kindberg 
et al. further discloses logging user requests and in particular logging the user identity [page 4, 
paragraph 0056], but does not explicitly disclose that if the incoming message is determined to 
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be malicious, identifying the first computer; and automatically blocking future messages 
received from the first client computer. 

However, El-Rafie discloses a similar method and further discloses monitoring requests 
and identifying/blocking malicious users from future requestsfze. determining rogue user 
terminals and blocking data flow to the offending IP address, etc.) [column 26, lines 10-61]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify the method disclosed by Kindberg et al. with the features disclosed by El- 
Rafie in order to automatically provide a more selective access to resources within a network, as 
suggested by Kindberg et al. [page 1, paragraph 0012]. 

Response to Arguments 
14. Applicant's arguments with respect to the pending claims have been considered but are 
moot in view of the new ground(s) of rejection. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The 
examiner can normally be reached on Monday through Thursday 9:00AM-5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

EZ 

August 10, 2009 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



